Is Snare suitable for forensics?

SUMMARY

Aug 21, 2015

The Snare server is designed with forensic examination in mind. Audit log data is stored in a highly compressed, but standards-compliant format suitable for export to third party analysis tools, or for analysis on-server. The highly compressed log data implies that the server can store immense quantities of information on disk, available for analysis without resorting to archive/backup media.

In a similar vein, the Snare Agents also forward data in a non-proprietary format. Although event filters allow administrators to selectively filter and forward log information of particular importance, the agents are programmed in such a way to be very light on system resources. This provides the opportunity for the administrator to collect a wide range of events, and large number of events per second, that may be not immediately critical to the security posture of the organisation, but may be useful as tangential forensic support material for future investigations.

The Snare Agents also extrapolate localised information from audit event logs that are critical for long term forensic follow-up, but may be transitory on the source server. Examples include UID to username conversion, and localised windows string extrapolation. The Snare Agents do not remove any information from the source log data, and once written to the target Snare server, log collections can be cryptographically fingerprinted, with checksums archived to support long term validation of source data.